New cybersecurity tools and techniques for cloud-based manufacturing software show promise in the fight to secure critical factory-floor data and machinery
Cybersecurity casts a long shadow over networks of all kinds, from banking and retail businesses to government, energy, healthcare, utilities, and large-scale industrial manufacturing operations. Hardly a day passes without dire headlines warning of the latest consumer, commercial or government data breaches over the Web, as clever hackers employ myriad phishing schemes, viruses and malware that exploit corporate network vulnerabilities and, quite often, the gullibility of users unaware of cybersecurity dangers. With more factory assets getting connected to the Web, particularly with the coming explosion of Internet of Things (IoT) devices, today’s manufacturing management must look for rock-solid technologies for securing their factory-floor machinery and the mission-critical intellectual property assets that now often reside in cloud-based software.
Hack attacks on industrial manufacturing networks have been more rare, with the highest-profile case being the Stuxnet worm that infected the industrial equipment controlling Iranian nuclear centrifuges about five years ago. Since the attack, it has been widely speculated that it was the result of work by the US and Israel. In that case, Stuxnet was a zero-day exploit worm designed to embed computer code into the Siemens Simatic PLCs and STEP 7 software used to control the Iranian centrifuges. The worm caused the centrifuges to run improperly and eventually damaged the systems.
More recently, a German steel manufacturing plant’s operation was severely hampered last year and shut down after cyber thieves breached its security defenses. The German steel mill’s blast furnace was compromised by malicious code that entered the network through the company’s business systems, causing an eventual plant shutdown.
Connected Factories’ Vulnerability
As manufacturers move toward more-connected factory systems, there’s even greater demand for highly secure systems to keep hackers away from manufacturing networks’ wealth of IP data and mission-critical plant-floor equipment. “In the lifecycle of product development, there is a wide range of systems, and a lot of the elements along that chain were not designed for security,” said Jim Barkley, associate director, Digital Manufacturing Commons, at the Digital Manufacturing and Design Innovation Institute (DMDII; Chicago), of PLCs, network streams, and other factors. “Manufacturing generates more data annually than any other sector of the economy. There’s a lot of potential there. You need controls at every trust boundary—at the machine level, the operating layer, and at the PLCs.”
Securing industrial networks is exacerbated by the sheer volume of newly connected machines, as machine tool builders and machine control suppliers have embraced newer technologies like the open-architecture MTConnect XML-based standard for machine tool data exchange on the shop floor, connecting and gathering much greater volumes of manufacturing data to leverage the goldmine of manufacturing process metrics coming off the shop floor (see “Why Manufacturing Needs Data Collection” in the October 2015 issue of Manufacturing Engineering and at http://tinyurl.com/oq7kodn.)
Industrial cyber attacks have largely flown under the radar, without garnering the widespread reporting required for those on financial, government and other targets. “Most manufacturing companies are not required to publish information about cyber attacks. However, the Department of Homeland Security ICS-CERT does maintain information, published on an annual basis, on cybersecurity attacks on industry,” said Rajiv Sivaraman, vice president and Head of Plant Security Services, Siemens US Digital Factory (Norcross, GA). In fiscal year 2014, for example, the Department of Homeland Security publication entitled ICS-CERT Year in Review (2014) documented 245 reported incidents, he said. “Looking back at prior reports, you will find that attacks focusing on industrial networks and equipment are generally increasing in frequency and sophistication.
“Aside from technological gaps, an important issue in industrial control systems [ICS] cybersecurity is the general lack of awareness,” Sivaraman said. “A lack of awareness of potential attack can lead to reduced investment on early detection and protection. This results in limited information about whether or not an attack actually occurred and the resulting impact.”
Leveraging Cloud Advantages
In many cases, going to cloud-based solutions offer organizations an edge in factors including lowered costs, speed of deployment and software design. Cloud software also can offer benefits in the cybersecurity realm, especially in costs and cloud optimization.
“Cloud-based software and related network technology enable more secure transmission of design data and status information,” Sivaraman said. “The likelihood of successful attacks that have the goal of stealing IP [intellectual property] can be reduced if the data is encrypted. Attacks that aim to disrupt operations, for instance by injecting false data or instructions, similarly can be reduced with encryption and other protection. With cloud-based software and good security controls, the confidentiality and integrity of design and production data can be improved.
“In general, Industrial Security solutions require a holistic approach based on different protection layers,” Sivaraman said. “These involve plant security, network security, and maintaining system integrity.” Plant security includes physical access to plant and industrial controls equipment, security policies and processes, and security awareness, he added. “Network security deals with the protection of automation components based on segmented production networks, secure separation of production and office networks, and the use of security cells/zones concepts.”
Costs are a major factor in cloud systems’ favor, particularly for any smaller to medium-sized manufacturing operation looking for securing systems in the cloud.
“I do think cloud computing can help,” said DMDII’s Barkley. “A lot of people have misgivings about cloud, but by and large I think the cloud industry is taking care of that. The cool thing about the cloud is it allows for virtualization of a lot of services. That’s the elastic sort of element to it, and it gives us new ways to disrupt hackers.”
The flexibility of the cloud gives users a real advantage, Barkley added, in dealing with the “advanced persistent threats” that can occur in cybersecurity breach attempts. “If you can rapidly switch IP addresses or networks, you disrupt that cycle,” Barkley said.
Lower costs of the cloud systems play a huge role, especially with a lot of the small to medium-sized mom-and-pop shops, he added. “They typically don’t have the capital to afford the top-end enterprise software suites, which can be pretty expensive, when you add in the costs of service, which often account for a larger share of the total cost of ownership of the lifecycle of use than the initial purchase price of the software.”
To counter the cost barrier, DMDII has an open project call—the DMDII-15-13 Cyber Security for Intelligent Machines—offering up to $2 million in funding for developers to bid to supply open-source cloud-based security software. One of the manufacturing research institutes created by the Obama Administration in 2014, DMDII is working on developing an open-source software tool that will be an open-architecture communication platform, and which will enable plug-and-play functionality across the entire digital thread. This software is called the Digital Manufacturing Commons, or DMC.
“We want to provide affordable tools,” Barkley said. “Many may be more of a SaaS [Software-as-a-Service] type—low cost, one-time pass, mostly automated.” The open-source software will aim to provide more of an “à la carte” type of approach to cybersecurity, to remove the cost burden from shops that typically can’t afford enterprise-scale software projects.
Affordable solutions for cloud computing are critical for smaller manufacturers looking to secure their networks. Concurrent Technologies Corp. (CTC; Johnstown, PA), an applied science research and development professional services organization, has recently worked with smaller manufacturers in the National Institute of Standards and Technologies’ (NIST; Gaithersburg, MD) Manufacturing Extension Partnership (MEP) program working in Pennsylvania. About 90% of its clients are government agencies, but CTC has started working with smaller manufacturers on projects involving the company’s cloud computing and Big Data analytics platforms, noted Vicki Barbur, CTC senior vice president and chief technical officer.
Manufacturers like Lockheed or Raytheon can afford large, sophisticated, cyber-secure network architectures, but smaller manufacturers simply don’t have the resources, Barbur said, and hence are much more vulnerable to cyber attacks. “How do we do that in a very cost-effective way?” Barbur said. “Small manufacturers are looking for cost-effective, simple systems.”
“The small manufacturers really don’t have the ability to employ large systems,” said Dom Glavach, CTC principal IS security engineer. “Everyone is definitely aware of the potential for breaches, and they’re looking for a starting point.”
CTC is helping small manufacturers with assessment tools for determining the best cybersecurity systems to fit their needs, he added, using the NIST Cybersecurity Framework as a model. “I really think that’s a question that every manufacturer needs to answer,” Glavach said. “Number one, you have to figure out what are your most important assets.”
Cloaking Your Cloud Assets
Among the more promising new applications is an open-source cloud version of the Software Defined Perimeter (SDP), a “Black Cloud” system that hides data from hackers, developed by cyber and digital risk management consultant Waverley Labs LLC (Waterford, VA).
While not quite a Star Trek Romulan cloaking device, Waverley Labs’ Black Cloud makes corporate or manufacturing data essentially invisible to potential hackers, moving or wrapping a company’s applications within an on-premises or in a public or private cloud, demilitarized zones (DMZ), a server in a data center, or even inside an application server. The Black Cloud concept, which has been deployed in large-scale systems at Lockheed Martin and other big manufacturers, is being adapted to an open-source model that Waverley is developing, and the company has submitted a bid for the contract with DMDII’s DMC open-source system.
“If you look at the grand security practices that have come out from NIST and other agencies, they require patching, updating and monitoring systems at the infrastructure layer,” said Juanita Koilpillai, Waverley Labs’ founder and CEO. Cloud vendors do a lot of work at the network, operating system level, and at the Software-as-a Service infrastructure layer, she said, but at the Infrastructure-as-a-Service (IaaS) layer, the customer is fully responsible for securing their systems. “Therein lies the rub,” Koilpillai said. “Everyone says ‘We are more secure,’ but what piece of it is more secure?
“Ultimately the security has to be implemented at all layers of the network stack, all the way from your wires to the user interface in the application,” Koilpillai said, “and that’s what the Software Defined Perimeter is all about. It’s actually a very new approach to protecting network applications. The model is set up so that only TCP [Transmission Control Protocol] connections from authorized connections are allowed, and the perimeter also issues the user-level access at the port and protocol level after user authentication, and that way connections cannot be recast or hijacked.”
The layer that validates and authenticates users and devices is hidden from potential network intruders, she noted. “It’s able to bring all that together to communicate with a server that’s literally hidden behind a firewall, and the firewall is only open when the user requests access. There’s a pinhole punched through the firewall, the communication’s performed, and then shut down. So the server is completely hidden from all network scanning and the common kind of efforts that are done by hackers initially to start looking for what they can hack.”
For most manufacturing operations, handling these cybersecurity tasks is difficult and time-consuming. “You have to make a lot of smart decisions based on your application,” Koilpillai said. “We feel that there’s a need for this.”
The company is collaborating on the open-source version with the Cloud Security Alliance, Verizon, and the Department of Homeland Security (DHS). A lot of Waverley’s work is with federal agencies, she added, and the Black Cloud concept can be easily adapted to the manufacturing world. The Black Cloud uses the Mutual Transport Layer Security (Mutual TLS) protocol, but Koilpillai added that in manufacturing, there may be a need for other protocols as well. “They’re worried about it. The TCP/IP type of communications have been used in the Internet for a long time,” Koilpillai said. “The manufacturing shop floor, the big data systems, and the IT systems are all interconnected. When you hook up this network, you need to extend your perimeter in order to hide the critical infrastructure, in this case the shop floor, to ensure that every message is authenticated and encrypted.”
Securing, Testing the Cloud
As cloud-based enterprise software has proliferated and become more popular for cost savings and other reasons, questions arose whether those cloud-secured assets are as secure as the on-premises versions of enterprise software. But many experts believe cloud software has many distinct advantages over on-premises software, including security.
“It’s pretty clear that attacks happen regularly,” said Kevin Hurley, executive vice president, Technology, KeyedIn Solutions Inc. (Minneapolis), developer of the KeyedIn Manufacturing cloud-based enterprise resource planning (ERP) software.
Securing cloud applications is a top priority, Hurley said, and KeyedIn employs high-end security from third-party supplier Dimension Data to lock down its ERP customers’ data. “You walk into some installations and it’s almost like a prison—some of these facilities use biometrics to enter,” Hurley said.
Cloud applications, properly executed, can offer users more effective security than some on-premises installations. “In some cases in an on-premises facility, people are busy doing other things—maybe security’s not the main priority, or they missed a security patch, maybe they’re not doing a denial of service security, or the software’s not the best from a security standpoint,” Hurley said. “Some of these software systems can be 10, 15, 20 years old. Any of those factors could put your on-premises systems at risk.”
With KeyedIn Manufacturing, users get an ISO 2700 compliant SaaS application, and KeyedIn makes sure its customers follow up on security policies, Hurley added. Customers’ data also is segregated from other customer data, and even within the client companies themselves, added Paul Leghorn, KeyedIn vice president, SaaS Infrastructure.
“There’s only a very small number of people here that can touch the data,” Leghorn said. With KeyedIn applications, customers also use two-step authentication, which bolsters security levels. “Typically we don’t re-authenticate within the session,” Leghorn added. “Your client administrators are in charge of that. They can have the confidence that no one can break in, because it’s your weakest point in your chain.”
For cloud-based PLM software developer Arena Solutions (Foster City, CA), security ranks at the top of the stack of priorities. “When we start with a customer, we actually start with how to secure their applications,” said Wenxiang Ma, executive vice president, Engineering and Operations.
In addition to multiple firewalls, Arena offers users dynamic access control, allowing administrators to have a very limited number of people who can access information, Ma said. “From the beginning, we do multiple firewalls. It’s a combination of hardware and software,” he said.
Arena PLM’s security model features Secure Sockets Layer (SSL) encryption, and username and password verification is provided by a hardened authentication service maintained separately from the main application service. Arena offers customers IP-based access restriction as an option, as well as a two-step authentication option, and data management security is the strongest available currently supported by browsers, using a 2048-bit RSA public key and up to 256-bit encryption.
Keeping hackers at bay requires not only innovation in cloud-based designs, but also vigilance by cloud users. Performing penetration tests on cloud network security is a must in today’s world, and these tests are best done by a third party, Ma said. “We go through a penetration test with a third party, which involves an application test and a network test,” Ma said. “The third party actually sets it up, but we pre-write it and then nobody knows when it will happen.” The company usually does the network tests at least once a year.
“We do our pen testing with a third-party IT security consultancy,” said KeyedIn’s Leghorn. “They test the code, the system and the SQL database, and the firewall itself. What ports are open? What they can discover about your system is important, because for hackers, this is their day job—understanding what people can do. It provides useful information and you have to do this on a regular basis, at least annually.”
With its pen tests, KeyedIn’s policy is to share that information under non-disclosure agreements with clients, Leghorn added. “You don’t want to give anything away. As a policy, we don’t allow the clients to do the pen testing, for the protection and stability of the entire service.”
This article was first published in the December 2015 edition of Manufacturing Engineering magazine.